[求助]关于拦截读MSR_LSTAR操作
发表于: 2017-7-24 18:19 3337
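// Build the primary processor-based VM-execution controls and write them
// into the current VMCS.
//
// NOTE(review): the three feature bits below are OR-ed in *after*
// VmxAdjustControls() has run, so nothing visible here checks them against
// the settings the capability MSR allows. Confirm each bit is supported on
// the target CPU (and confirm what VmxAdjustControls does with its first
// argument) before relying on it.
uCPUBase = VmxAdjustControls(0, MSR_IA32_VMX_PROCBASED_CTLS); // fixed: the terminating ';' was missing

// Intercept MSR operations: with this control set, the MSR bitmap decides
// which RDMSR/WRMSR accesses cause a VM exit.
uCPUBase |= CPU_BASED_ACTIVATE_MSR_BITMAP;

// For Win10
// The code below enables the RDTSC exit event.
uCPUBase |= CPU_BASED_RDTSC_EXITING;
uCPUBase |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;

// NOTE(review): __vmx_vmwrite returns a status byte that is ignored here;
// checking it would show whether the control field was actually written.
__vmx_vmwrite(CPU_BASED_VM_EXEC_CONTROL, uCPUBase);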
// Mark the MSRs whose reads should cause a VM exit, then point the VMCS at
// the bitmap page.
//
// Layout used below: the first 1024 bytes of the page are the read bitmap
// for MSRs 0x00000000 - 0x00001FFF, the next 1024 bytes are the read bitmap
// for MSRs 0xC0000000 - 0xC0001FFF. The write bitmaps (the following two
// 1024-byte regions) are not touched by this code.
//
// NOTE(review): assumes pMSRBitmap is a zero-filled, 4 KiB-aligned page and
// pMSRBitmap_PA is its physical address - the allocation is not shown here,
// confirm both.
PUCHAR msrReadLow = (PUCHAR)g_VMXCPU[uCPUID].pMSRBitmap;   // 0x00000000 - 0x00001FFF
PUCHAR msrReadHigh = msrReadLow + 1024;                    // 0xC0000000 - 0xC0001FFF
RTL_BITMAP readLowMap = { 0 };
RTL_BITMAP readHighMap = { 0 };
ULONG vmxMsr;

// Low range: one bit per MSR index, 1024 * 8 bits in total.
RtlInitializeBitMap(&readLowMap, (PULONG)msrReadLow, 1024 * 8);
RtlSetBit(&readLowMap, MSR_IA32_FEATURE_CONTROL);   // MSR_IA32_FEATURE_CONTROL
RtlSetBit(&readLowMap, MSR_IA32_DEBUGCTL);          // MSR_DEBUGCTL

// VMX MSRs: every index from MSR_IA32_VMX_BASIC through MSR_IA32_VMX_VMFUNC.
for (vmxMsr = MSR_IA32_VMX_BASIC; vmxMsr <= MSR_IA32_VMX_VMFUNC; ++vmxMsr) {
    RtlSetBit(&readLowMap, vmxMsr);
}

// High range: the bit index is the MSR number relative to 0xC0000000.
RtlInitializeBitMap(&readHighMap, (PULONG)msrReadHigh, 1024 * 8);
RtlSetBit(&readHighMap, MSR_LSTAR - 0xC0000000);    // MSR_LSTAR

// Publish the physical address of the bitmap page in the VMCS.
// NOTE(review): the bitmap is only consulted if the "use MSR bitmaps"
// control really ended up set in CPU_BASED_VM_EXEC_CONTROL on this logical
// processor - worth verifying when an expected exit never arrives.
__vmx_vmwrite(MSR_BITMAP, g_VMXCPU[uCPUID].pMSRBitmap_PA.QuadPart);
这样开启 MSR Bitmap 对不对？为什么我在 vmexit 事件里面拦截不到 __readmsr(MSR_LSTAR) 的操作？